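Security Scan
OpenClaw
Safe
high confidence: The skill's instructions, requirements, and output are consistent with its stated purpose as an instruction-only code security review checklist; it requests no unrelated credentials and installs no arbitrary code.
Assessment recommendations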
This instruction-only skill appears coherent and low-risk, but check these before installing: (1) provenance — the metadata shows 'RedHat Dev' inside files but the registry owner differs; verify the author/owner you trust. (2) Access scope — the skill expects a 'scope' (files/diff); ensure you only supply the code you want analyzed and that the agent does not have unintended filesystem or repo access. (3) Secrets handling — the SKILL.md says to redact secrets, but confirm how the agent/platform ...
✓ Purpose and capability
The name/description describe reviewing code for secrets, auth, injection, dependencies and unsafe execution; the SKILL.md contains step-by-step checks that map directly to that purpose and does not request unrelated capabilities.
ℹ Instruction scope
Instructions are focused on reviewing a supplied 'scope' (files/diff) and list concrete checks. They do not direct the agent to call external endpoints or read unrelated system files. However, the guidance is somewhat high-level (expects the agent to determine how to scan the scope) and therefore relies on the agent having access to the repository or code artifacts provided by the user; that operational requirement is implied but not declared.
✓ Install mechanism
There is no install spec and no code files to execute; this is instruction-only, so nothing is written to disk or downloaded at install time.
ℹ Credential requirements
The skill declares no required environment variables or credentials, which is proportionate. Be aware that to perform real reviews the agent (or caller) must supply the code/diff; the skill does not request repo tokens but practical usage may require the environment that hosts the agent to already have access to the codebase — that access is external to the skill and should be controlled by you.
✓ Persistence and privilege
always is false and the skill does not request persistent presence or modify other skills. Autonomous invocation is allowed (platform default) but there are no other elevated privileges requested.
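Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/4/24
axodus-security-checks initial release.
- New skill supporting structured security review, focused on secret leakage, authentication/authorization flaws, injection risks, dependency security, and unsafe execution paths.
- Supports custom input scope, threat model, languages, and constraints.
- Outputs an evidence-based report in YAML format with severity levels and remediation advice.
- Built-in strict secret-handling rules; sensitive changes are escalated automatically.
- Suitable before deployment or after major security-related changes.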
● Benign
Install command
Official: npx clawhub@latest install axodus-security-checks
Mirror: npx clawhub@latest install axodus-security-checks --registry https://cn.longxiaskill.com (mirror available)
Skill documentation
---
name: security-check
description: Perform a security review: secrets, auth, injection, dependencies, unsafe execution.
metadata:
  author: RedHat Dev
  version: 1.0.0
  owner: RedHat Dev Agent
  category: quality
---
# SKILL: security-check
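## Purpose
Perform a security-focused review of a code change or subsystem: secrets exposure, auth problems, injection risks, unsafe dependencies, and unsafe execution paths.

## When to use
- Before deploying features that involve user input, funds, or credentials
- When introducing new dependencies or external integrations
- After authentication/authorization changes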
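## Inputs
- `scope` (required, string): the files/modules/diff to check
- `threat_model` (optional, string): the assets at risk and the attacker's capabilities
- `languages` (optional, string[]): e.g. `["ts","py","solidity"]`
- `constraints` (optional, string[]): compliance rules or governance boundaries

## Steps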
- Secrets & configuration:
  - `.env.example` contains no real secrets
- Input handling:
- Auth/authz:
- Injection and unsafe execution:
- Dependencies:
- Observability:
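## Validation
- Findings are evidence-based and come with a remediation
- Risk severity is graded (critical/high/medium/low)
- Security constraints are enforced, not "suggested"

## Output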
Security report (example schema):

```yaml
summary: ""
findings:
  - id: "SEC-001"
    severity: "high|medium|low"
    issue: ""
    location: ["..."]
    remediation: ""
```

## Security rules
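- Do not leak secrets in logs/config; redact them
- Do not recommend disabling security controls to "unblock" work
- Changes involving funds or governance must be escalated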